Thoughts on WikiLeaks

Ahhh….WikiLeaks. What a bizarre site. Is it making us stronger or is it a security problem? Both. It’s a V for Vendetta “freedom-fighter” vs “terrorist” type of situation.

Take the hacker community for a moment. At the higher levels of this group, a hacker will tell you that exposing the flaws in the most commonly used systems serves to force the makers of that software to develop strong defenses, and that their attacks force them to stay nimble enough to react to new threats. Without them, the makers of the systems would get sloppy, corners would be cut to rush products, and entire business systems would be exposed to terrorists or hostile nations. And it’s hard to say that this is not true. Hackers can wreak havoc on existing users. Sometimes illustrating system weakness comes at a price to company profits, IT staff, and to users.

Now enter the White Hat hacker. He’s a pain to some groups, but overall he may be helping. The White Hat hacker finds the holes, shows how an exploit can be done, and invites people to his site to see it. He gets a few fans and gets a few job offers. He doesn’t develop any hostile payload using the exploits. The companies who have their weaknesses posted then need to respond to fix their security problems because someone else might use the exploit with hostility. Think of him as a gun maker. It’s not the making of the gun that kills people, it’s the person who uses the gun. In this case, it’s not the discovery of the exploit…that was already there, waiting for someone to discover it.

In the case of WikiLeaks, this data was probably flowing already – it’s just that now instead of an underground river, it’s above ground. Maybe the armed forces new about it but kept it secret. Or worse yet…maybe they didn’t know how easy it was for Classified data to leave their systems, or how frequently it happens. These classified documents are just being passed out for free. No foreign government is paying people thousands of dollars. No organization is holding someone’s family hostage. I say that if it’s this easy and common for classified documents to leave the network, then don’t blame WikiLeaks – fix the problem! Before WikiLeaks, how many of these documents were going to the Middle East?

It’s like a losing team complaining that the winning team should have quit scoring touchdowns. You know what they should do…Stop ’em. If you don’t want them to score on you, play some defense. If you don’t want data to leave your network…get some tighter security.

It just strikes me that if Julian Assange can gather all this data for free…how many others are out there doing the same thing that we don’t know about?

Is he a pain in the side of the military? Sure. So are hackers (to the military, the government, private business, etc.). They cause endless hours of work for IT guys. But I’d rather get hit by a White Hat hacker who says “Hey – you’ve got this weakness right over here…and you better hurry up and address it” than get hit by a Black Hat who finds the weakness, keeps it secret, and sells it to others.

In other words, better that Assange publishes this data on WikiLeaks for the generals to see, than for someone else to keep it secret, so that no one even knows the military has a problem. Sometimes a little exposure brings attention to places that attention is needed. The real problem is that Top Secret and other Classified documents are so readily obtained. The Human Resources department and the IT department of the military need to get to work.